Brian Chess [EMAIL PROTECTED] wrote on 2007/04/09 13:31:04:
Hi Frederik,
Hi Brian,
You're right that IE does not have the setter methods. You're also
right
that hijacking the Object() or Array() constructor method would be
enough to
pull off the attack. The bad (good?) news is that IE doesn't call those
methods unless an object is explicitly created with the new keyword.
We
got this wrong when we looked at it initially, which is why we said the
code
could be ported to IE. We're going to go back and fix that in the
paper.
Thanks for your reply. Since there is much more to JavaScript than that I
originally anticipated, I thought we missed something in our experiments.
Of course, any JavaScript data transport format that explicitly calls a
function is vulnerable in all browsers. Over the last week or two I've
been
learning that people are moving data around using a lot more than just
JSON,
though JSON is the clear front-runner.
Would you mind sharing the different data formats you came across for
exchanging data in mashups/Web 2.0? Considering the challenges you
recently discovered, it might be good to have such an overview to look at
it from a security point of view.
Brian
Frederik
---
Frederik De Keukelaere, Ph.D.
Post-Doc Researcher
IBM Research, Tokyo Research Laboratory___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___